Repost: Buffer overflow in Microsoft DirectX Files Viewer xweb.ocx (<2,0,16,15) ActiveX sample

From: Andrew G. Tereschenko (secure.bugtraqat_private)
Date: Fri Aug 16 2002 - 15:05:55 PDT


    Hi BugTraq reader,
    
    I would like to inform you about a security issue in
    the DirectX Files Viewer control, which was available
    on the ActiveX gallery page of the
    http://activex.microsoft.com/activex
    site but was fixed not so long ago.
    
    =========================================================
    Overview:
    Risk: High
    Distribution: Low-Medium
    Patch available from vendor: True
    
    Systems Affected:
    Systems having Microsoft DirectX Files Viewer xweb.ocx (2,0,16,15 and possibly older)
    
    Impact:
    A remote attacker may be able to execute arbitrary code with the privileges of the current user.
    
    Description:
    A buffer overflow exists in the "File" parameter of the Microsoft DirectX Files Viewer ActiveX control that may permit a remote
    attacker to execute arbitrary code on the system with the privileges of the current user. This vulnerability affects users who visited the
    ActiveX samples gallery at activex.microsoft.com.
    Since the control is signed by Microsoft, users of Microsoft's Internet Explorer (IE) who accept and install Microsoft-signed
    ActiveX controls are also affected. This control was also available for direct download from the web, but can be uploaded to any
    website.
    The <object> tag could be used to embed the ActiveX control in a web page. If an attacker can trick the user into visiting a
    malicious site or the attacker sends the victim a web page as an HTML-formatted email message or newsgroup posting then this
    vulnerability could be exploited. This acceptance and installation of the control can occur automatically within IE for users who
    trust Microsoft-signed ActiveX controls. When the web page is rendered, either by opening the page or viewing the page through a
    preview pane, the ActiveX control could be invoked. Likewise, if the ActiveX control is embedded in a Microsoft Office (Word, Excel,
    etc.) document, it may be executed when the document is opened.
    
    Vendor Information:
    secureat_private was informed on 9.May.2002.
    MSRC 1149cb ticket was opened and finally resolved on 25.Jun.2002
    
    Solution:
    Apply the latest IE/OS patches available from Microsoft:
    Setting the kill bit is expected to be included in the latest IE service pack.
    Windows 2000 SP3 and Windows XP SP1 are expected to solve this problem.
    
    Links:
    ActiveX control still available for retrieval from Global Internet "backup copy":
    http://web.archive.org/web/20010410194632/http://activex.microsoft.com/activex/controls/directx/xweb.htm
    
    Feedback can be directed to the author:
    --
    Andrew G. Tereschenko
    secureat_private
    TAG Software Research Lab
    Odessa, Ukraine
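
Added example, not part of the original advisory and not vendor code: a check for the kill bit named under "Solution", run over a registry export. It finds every CLSID whose InprocServer32 points at xweb.ocx and reports whether the "Compatibility Flags" value under "ActiveX Compatibility" has bit 0x400 set. The advisory does not give the control's CLSID, so the CLSIDs, paths and flag values in the sample are constructed placeholders.

```python
import re

KILL_BIT = 0x00000400  # "Compatibility Flags" bit that stops IE from instantiating a control
COMPAT = r"\microsoft\internet explorer\activex compatibility" + "\\"

# Constructed sample in .reg export syntax; CLSIDs, paths and flags are placeholders.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\WINDOWS\\Downloaded Program Files\\xweb.ocx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\WINDOWS\\System32\\xweb.ocx"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{11111111-1111-1111-1111-111111111111}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{22222222-2222-2222-2222-222222222222}]
"Compatibility Flags"=dword:00000020
'''

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            current[name.strip('"')] = data
    return keys

def audit(text, server="xweb.ocx"):
    """Map each CLSID whose InprocServer32 is `server` to True if its kill bit is set."""
    keys = parse_reg(text)
    flags = {}
    for path, values in keys.items():
        low = path.lower()
        if COMPAT in low and "Compatibility Flags" in values:
            m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", values["Compatibility Flags"])
            if m:
                flags[low.rsplit("\\", 1)[1]] = int(m.group(1), 16)
    result = {}
    for path, values in keys.items():
        m = re.search(r"\\clsid\\(\{[0-9a-f-]{36}\})\\inprocserver32$", path.lower())
        dll = values.get("@", "").strip('"').replace("\\\\", "\\").lower()
        if m and dll.rsplit("\\", 1)[-1] == server:
            result[m.group(1)] = bool(flags.get(m.group(1), 0) & KILL_BIT)
    return result
```

Files written by `reg export` are UTF-16, so decode them before passing the text to `audit`. A CLSID reported as `False` is registered without the kill bit.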
    


